<div dir="ltr">Thanks Cory!<div>That explains the issue so looks like the cipher being set by the client just that i need to server support.</div><div><br></div><div>Thanks,</div><div>Karan.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 3, 2017 at 7:35 AM, <span dir="ltr"><<a href="mailto:cryptography-dev-request@python.org" target="_blank">cryptography-dev-request@python.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Cryptography-dev mailing list submissions to<br>
<a href="mailto:cryptography-dev@python.org">cryptography-dev@python.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://mail.python.org/mailman/listinfo/cryptography-dev" rel="noreferrer" target="_blank">https://mail.python.org/<wbr>mailman/listinfo/cryptography-<wbr>dev</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:cryptography-dev-request@python.org">cryptography-dev-request@<wbr>python.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:cryptography-dev-owner@python.org">cryptography-dev-owner@python.<wbr>org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Cryptography-dev digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. set_cipher_list() API Question (Karan karan)<br>
2. Re: set_cipher_list() API Question (Tristan Seligmann)<br>
3. Re: set_cipher_list() API Question (Karan karan)<br>
4. Re: set_cipher_list() API Question (Cory Benfield)<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 1<br>
Date: Mon, 3 Jul 2017 06:18:51 -0700<br>
From: Karan karan <<a href="mailto:karan7868@gmail.com">karan7868@gmail.com</a>><br>
To: <a href="mailto:cryptography-dev@python.org">cryptography-dev@python.org</a><br>
Subject: [Cryptography-dev] set_cipher_list() API Question<br>
Message-ID:<br>
<<a href="mailto:CAKFSe%2BYD9YHZNzSC2oodU89hiMJGRDwySmg8Y_UwsmJbAjtiXA@mail.gmail.com">CAKFSe+<wbr>YD9YHZNzSC2oodU89hiMJGRDwySmg8<wbr>Y_UwsmJbAjtiXA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi,<br>
<br>
I'm trying to set a specific cipher in the ('ECDHE-ECDSA-AES128-GCM-<wbr>SHA256')<br>
the cipher list using the API: set_cipher_list but im getting the following<br>
error :<br>
<br>
kjoshi@ubuntu64dev:~/openssl_<wbr>playground$ python test_ex.py<br>
------------------------------<wbr>-----<br>
connected ('192.168.152.132', 443)<br>
Traceback (most recent call last):<br>
File "test_ex.py", line 83, in <module><br>
main()<br>
File "test_ex.py", line 65, in main<br>
cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()<br>
File "test_ex.py", line 25, in create_ssl_connection<br>
cont.set_cipher_list('ECDHE+<wbr>ECDSA+AES128+GCM+SHA256')<br>
File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/SSL.py", line 975, in<br>
set_cipher_list<br>
File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 67, in<br>
openssl_assert<br>
File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 54, in<br>
exception_from_error_queue<br>
OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher<br>
match')]<br>
<br>
<br>
Below is the code that i have:<br>
<br>
cont = Context(TLSv1_2_METHOD)<br>
#cont.set_cipher_list('0xc00e'<wbr>)<br>
#cont.set_cipher_list('ECDHE+<wbr>ECDSA+AESGCM+SHA256')<br>
#cont.set_cipher_list('ECDHE-<wbr>ECDSA-AES128-GCM-SHA256')<br>
cont.set_cipher_list('ECDHE+<wbr>ECDSA+AES128+GCM+SHA256')<br>
client_ssl = Connection(cont, client)<br>
client_ssl.set_connect_state()<br>
client_ssl.do_handshake()<br>
session_ref = client_ssl.get_session()<br>
<br>
<br>
As seen above i tried numerous combination of word separators (_,-,+) but<br>
nothing seemed to have helped.<br>
<br>
I would appreciate if someone could please let me know on the usage of<br>
this.I'm sure there must be a way of sending a specific cipher.<br>
I'm performing a test on my local apache server.<br>
<br>
Thanks,<br>
Karan.<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mail.python.org/pipermail/cryptography-dev/attachments/20170703/636a4ae8/attachment-0001.html" rel="noreferrer" target="_blank">http://mail.python.org/<wbr>pipermail/cryptography-dev/<wbr>attachments/20170703/636a4ae8/<wbr>attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Mon, 03 Jul 2017 14:09:51 +0000<br>
From: Tristan Seligmann <<a href="mailto:mithrandi@mithrandi.net">mithrandi@mithrandi.net</a>><br>
To: <a href="mailto:cryptography-dev@python.org">cryptography-dev@python.org</a><br>
Subject: Re: [Cryptography-dev] set_cipher_list() API Question<br>
Message-ID:<br>
<CAMcKhMRFBfJCV+<wbr>24XOiCubLhV2ubu+<wbr>Vt64LRr2HXYOaz=<a href="mailto:KawXA@mail.gmail.com">KawXA@mail.<wbr>gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
On Mon, 3 Jul 2017 at 15:18 Karan karan <<a href="mailto:karan7868@gmail.com">karan7868@gmail.com</a>> wrote:<br>
<br>
> #cont.set_cipher_list('ECDHE-<wbr>ECDSA-AES128-GCM-SHA256')<br>
><br>
<br>
I believe this is the correct spelling, and it works for me. Perhaps your<br>
OpenSSL does not have this cipher compiled in?<br>
<br>
If you run `openssl ciphers ECDHE-ECDSA-AES128-GCM-SHA256` do you get an<br>
error or successful cipher output?<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mail.python.org/pipermail/cryptography-dev/attachments/20170703/3bacbdab/attachment-0001.html" rel="noreferrer" target="_blank">http://mail.python.org/<wbr>pipermail/cryptography-dev/<wbr>attachments/20170703/3bacbdab/<wbr>attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Mon, 3 Jul 2017 07:11:57 -0700<br>
From: Karan karan <<a href="mailto:karan7868@gmail.com">karan7868@gmail.com</a>><br>
To: <a href="mailto:cryptography-dev@python.org">cryptography-dev@python.org</a><br>
Subject: Re: [Cryptography-dev] set_cipher_list() API Question<br>
Message-ID:<br>
<<a href="mailto:CAKFSe%2Ba%2B3_V2QcgmU3gzVu-Ei1Zz6wDFZZcV64CdmGuQjvpmiw@mail.gmail.com">CAKFSe+a+3_V2QcgmU3gzVu-<wbr>Ei1Zz6wDFZZcV64CdmGuQjvpmiw@<wbr>mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
I set : cont.set_cipher_list('ECDHE-<wbr>ECDSA-AES128-GCM-SHA256')<br>
<br>
but i see the following error in the logs :<br>
<br>
connected ('**.**.**.**', 443)<br>
Traceback (most recent call last):<br>
File "test_ex.py", line 83, in <module><br>
main()<br>
File "test_ex.py", line 65, in main<br>
cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()<br>
File "test_ex.py", line 33, in create_ssl_connection<br>
client_ssl.do_handshake()<br>
File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/SSL.py", line 1638, in<br>
do_handshake<br>
File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/SSL.py", line 1378, in<br>
_raise_ssl_error<br>
File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 54, in<br>
exception_from_error_queue<br>
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert<br>
handshake failure')]<br>
<br>
However when i see in the wireshark i do the following ciphers set in the<br>
set client hello:<br>
TLS_EMPTY_RENEGOTIATION_INFO_<wbr>SCS and<br>
'ECDHE-ECDSA-AES128-GCM-<wbr>SHA256.<br>
<br>
Im using TLS 1.2 not sure why its complaining about ssv3 protocol and using<br>
and the TLS_EMPTY_RENEGOTIATION_INFO_<wbr>SCS.<br>
<br>
I'd appreciate if someone could help out on it.<br>
<br>
Thanks,<br>
Karan.<br>
<br>
<br>
<br>
On Mon, Jul 3, 2017 at 6:18 AM, Karan karan <<a href="mailto:karan7868@gmail.com">karan7868@gmail.com</a>> wrote:<br>
<br>
> Hi,<br>
><br>
> I'm trying to set a specific cipher in the ('ECDHE-ECDSA-AES128-GCM-<wbr>SHA256')<br>
> the cipher list using the API: set_cipher_list but im getting the following<br>
> error :<br>
><br>
> kjoshi@ubuntu64dev:~/openssl_<wbr>playground$ python test_ex.py<br>
> ------------------------------<wbr>-----<br>
> connected ('192.168.152.132', 443)<br>
> Traceback (most recent call last):<br>
> File "test_ex.py", line 83, in <module><br>
> main()<br>
> File "test_ex.py", line 65, in main<br>
> cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()<br>
> File "test_ex.py", line 25, in create_ssl_connection<br>
> cont.set_cipher_list('ECDHE+<wbr>ECDSA+AES128+GCM+SHA256')<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/SSL.py", line 975, in<br>
> set_cipher_list<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 67, in<br>
> openssl_assert<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 54, in<br>
> exception_from_error_queue<br>
> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher<br>
> match')]<br>
><br>
><br>
> Below is the code that i have:<br>
><br>
> cont = Context(TLSv1_2_METHOD)<br>
> #cont.set_cipher_list('0xc00e'<wbr>)<br>
> #cont.set_cipher_list('ECDHE+<wbr>ECDSA+AESGCM+SHA256')<br>
> #cont.set_cipher_list('ECDHE-<wbr>ECDSA-AES128-GCM-SHA256')<br>
> cont.set_cipher_list('ECDHE+<wbr>ECDSA+AES128+GCM+SHA256')<br>
> client_ssl = Connection(cont, client)<br>
> client_ssl.set_connect_state()<br>
> client_ssl.do_handshake()<br>
> session_ref = client_ssl.get_session()<br>
><br>
><br>
> As seen above i tried numerous combination of word separators (_,-,+) but<br>
> nothing seemed to have helped.<br>
><br>
> I would appreciate if someone could please let me know on the usage of<br>
> this.I'm sure there must be a way of sending a specific cipher.<br>
> I'm performing a test on my local apache server.<br>
><br>
> Thanks,<br>
> Karan.<br>
><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mail.python.org/pipermail/cryptography-dev/attachments/20170703/c9b5c40a/attachment-0001.html" rel="noreferrer" target="_blank">http://mail.python.org/<wbr>pipermail/cryptography-dev/<wbr>attachments/20170703/c9b5c40a/<wbr>attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Mon, 3 Jul 2017 15:34:57 +0100<br>
From: Cory Benfield <<a href="mailto:cory@lukasa.co.uk">cory@lukasa.co.uk</a>><br>
To: <a href="mailto:cryptography-dev@python.org">cryptography-dev@python.org</a><br>
Subject: Re: [Cryptography-dev] set_cipher_list() API Question<br>
Message-ID: <<a href="mailto:31B04AF2-8B9A-416C-BD0C-F7AD6527B1ED@lukasa.co.uk">31B04AF2-8B9A-416C-BD0C-<wbr>F7AD6527B1ED@lukasa.co.uk</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
The ?sslv3? text is misleading: it simply relates to the way the OpenSSL internals are structured. Similarly, TLS_EMPTY_RENEGOTIATION_INFO_<wbr>SCSV is a ?dummy? cipher suite used to signal to the server that renegotiation using RFC 5746 is supported: it?s not an actual cipher suite.<br>
<br>
This error is almost certainly due to the remote server not having an ECDSA certificate. When you say ECDHE-ECDSA-AES128-GCM-SHA256 you make it entirely impossible to interoperate with servers that use RSA certificates, which is probably not what you want to do. A more useful cipher suite string is "ECDHE-ECDSA-AES128-GCM-<wbr>SHA256:ECDHE-RSA-AES128-GCM-<wbr>SHA256?, which includes both the ECDSA and RSA variants of this cipher suite.<br>
<br>
Cory<br>
<br>
> On 3 Jul 2017, at 15:11, Karan karan <<a href="mailto:karan7868@gmail.com">karan7868@gmail.com</a>> wrote:<br>
><br>
> I set : cont.set_cipher_list('ECDHE-<wbr>ECDSA-AES128-GCM-SHA256')<br>
><br>
> but i see the following error in the logs :<br>
><br>
> connected ('**.**.**.**', 443)<br>
> Traceback (most recent call last):<br>
> File "test_ex.py", line 83, in <module><br>
> main()<br>
> File "test_ex.py", line 65, in main<br>
> cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()<br>
> File "test_ex.py", line 33, in create_ssl_connection<br>
> client_ssl.do_handshake()<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/SSL.py", line 1638, in do_handshake<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/SSL.py", line 1378, in _raise_ssl_error<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 54, in exception_from_error_queue<br>
> OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]<br>
><br>
> However when i see in the wireshark i do the following ciphers set in the set client hello:<br>
> TLS_EMPTY_RENEGOTIATION_INFO_<wbr>SCS and<br>
> 'ECDHE-ECDSA-AES128-GCM-<wbr>SHA256.<br>
><br>
> Im using TLS 1.2 not sure why its complaining about ssv3 protocol and using and the TLS_EMPTY_RENEGOTIATION_INFO_<wbr>SCS.<br>
><br>
> I'd appreciate if someone could help out on it.<br>
><br>
> Thanks,<br>
> Karan.<br>
><br>
><br>
><br>
> On Mon, Jul 3, 2017 at 6:18 AM, Karan karan <<a href="mailto:karan7868@gmail.com">karan7868@gmail.com</a> <mailto:<a href="mailto:karan7868@gmail.com">karan7868@gmail.com</a>>> wrote:<br>
> Hi,<br>
><br>
> I'm trying to set a specific cipher in the ('ECDHE-ECDSA-AES128-GCM-<wbr>SHA256') the cipher list using the API: set_cipher_list but im getting the following error :<br>
><br>
> kjoshi@ubuntu64dev:~/openssl_<wbr>playground$ python test_ex.py<br>
> ------------------------------<wbr>-----<br>
> connected ('192.168.152.132', 443)<br>
> Traceback (most recent call last):<br>
> File "test_ex.py", line 83, in <module><br>
> main()<br>
> File "test_ex.py", line 65, in main<br>
> cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()<br>
> File "test_ex.py", line 25, in create_ssl_connection<br>
> cont.set_cipher_list('ECDHE+<wbr>ECDSA+AES128+GCM+SHA256')<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/SSL.py", line 975, in set_cipher_list<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 67, in openssl_assert<br>
> File "build/bdist.linux-x86_64/egg/<wbr>OpenSSL/_util.py", line 54, in exception_from_error_queue<br>
> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher match')]<br>
><br>
><br>
> Below is the code that i have:<br>
><br>
> cont = Context(TLSv1_2_METHOD)<br>
> #cont.set_cipher_list('0xc00e'<wbr>)<br>
> #cont.set_cipher_list('ECDHE+<wbr>ECDSA+AESGCM+SHA256')<br>
> #cont.set_cipher_list('ECDHE-<wbr>ECDSA-AES128-GCM-SHA256')<br>
> cont.set_cipher_list('ECDHE+<wbr>ECDSA+AES128+GCM+SHA256')<br>
> client_ssl = Connection(cont, client)<br>
> client_ssl.set_connect_state()<br>
> client_ssl.do_handshake()<br>
> session_ref = client_ssl.get_session()<br>
><br>
><br>
> As seen above i tried numerous combination of word separators (_,-,+) but nothing seemed to have helped.<br>
><br>
> I would appreciate if someone could please let me know on the usage of this.I'm sure there must be a way of sending a specific cipher.<br>
> I'm performing a test on my local apache server.<br>
><br>
> Thanks,<br>
> Karan.<br>
><br>
><br>
> ______________________________<wbr>_________________<br>
> Cryptography-dev mailing list<br>
> <a href="mailto:Cryptography-dev@python.org">Cryptography-dev@python.org</a><br>
> <a href="https://mail.python.org/mailman/listinfo/cryptography-dev" rel="noreferrer" target="_blank">https://mail.python.org/<wbr>mailman/listinfo/cryptography-<wbr>dev</a><br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mail.python.org/pipermail/cryptography-dev/attachments/20170703/d372ca6f/attachment.html" rel="noreferrer" target="_blank">http://mail.python.org/<wbr>pipermail/cryptography-dev/<wbr>attachments/20170703/d372ca6f/<wbr>attachment.html</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
______________________________<wbr>_________________<br>
Cryptography-dev mailing list<br>
<a href="mailto:Cryptography-dev@python.org">Cryptography-dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/cryptography-dev" rel="noreferrer" target="_blank">https://mail.python.org/<wbr>mailman/listinfo/cryptography-<wbr>dev</a><br>
<br>
<br>
------------------------------<br>
<br>
End of Cryptography-dev Digest, Vol 48, Issue 1<br>
******************************<wbr>*****************<br>
</blockquote></div><br></div>